RedHat has issued an advisory today (August 6): https://rhn.redhat.com/errata/RHSA-2014-1011.html
The RedHat bug has links to upstream commits and indicates it was fixed in 3.0.9: https://bugzilla.redhat.com/show_bug.cgi?id=1107901#c8
Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Dropped from cauldron.
Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia
Probably on its way back to Cauldron, but it is fixed in SVN there. Patch checked into Mageia 4 SVN.
Patched package uploaded for Mageia 4. Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated resteasy packages fix a security vulnerability:

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks (CVE-2014-3490).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3490
https://rhn.redhat.com/errata/RHSA-2014-1011.html
========================

Updated package in core/updates_testing:
========================
resteasy-3.0.1-3.1.mga4
resteasy-javadoc-3.0.1-3.1.mga4

from resteasy-3.0.1-3.1.mga4.src.rpm
Assignee: dmorganec => qa-bugs
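The advisory above describes the gap in the original CVE-2012-0818 fix: only external general entities were blocked, while external parameter entities were still resolved. The following is an added illustration using the standard JAXP API, not RESTEasy's own code and not the patch shipped in this update. The `generalEntitiesOnly()` factory is a hypothetical model of that incomplete hardening; `hardened()` is the configuration a defender wants on any endpoint that parses untrusted XML (refuse DOCTYPE outright, and as defence in depth disable both kinds of external entity and external DTD loading). `acceptsDoctype()` is a self-check you can run against your own factory: a hardened parser should answer `false`.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Hypothetical model of the incomplete fix the advisory describes:
    // general entities are blocked, parameter entities are not.
    static DocumentBuilderFactory generalEntitiesOnly() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return f;
    }

    // Complete hardening: no DOCTYPE at all, and both entity classes plus
    // external DTD loading disabled in case the DOCTYPE check is ever relaxed.
    static DocumentBuilderFactory hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Probe: does a parser built from this factory accept a document carrying a
    // DOCTYPE? The probe document is constructed here and only declares a
    // harmless internal entity; an endpoint that should never see a DTD must
    // return false from this check.
    static boolean acceptsDoctype(DocumentBuilderFactory f) throws ParserConfigurationException {
        String probe = "<?xml version=\"1.0\"?>\n"
                     + "<!DOCTYPE r [ <!ENTITY greeting \"hello\"> ]>\n"
                     + "<r>&greeting;</r>";
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            // Belt and braces: refuse to fetch anything the DTD points at.
            b.setEntityResolver((publicId, systemId) -> {
                throw new SAXException("external entity blocked: " + systemId);
            });
            Document d = b.parse(new ByteArrayInputStream(probe.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl makes Xerces raise SAXParseException here.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("general-entities-only factory accepts DOCTYPE: "
                           + acceptsDoctype(generalEntitiesOnly()));
        System.out.println("hardened factory accepts DOCTYPE:              "
                           + acceptsDoctype(hardened()));
    }
}
```

The feature URIs are the ones understood by the Xerces parser bundled with the JDK; other JAXP implementations may spell them differently, so the `acceptsDoctype()` probe is the portable way to confirm the configuration actually took effect rather than trusting the feature names alone.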
MGA4-64 on HP Probook 6555b No installation issues, apart from the surprise that this package calls +400 dependencies on my fairly default KDE workstation installation.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
MGA4-32 on Acer D620 Xfce installation. No installation issues, same surprise as above.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates. Thanks.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0547.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED